Practical Test Revision
Warning!
- Content here is not fully updated
Static Analysis Tools
- PEview - view when the PE was compiled (timestamp in the file header)
Why do we need to know when the file was compiled?
- The compile time shows whether the malware is old or new. If it is a zero-day or relatively new sample, most AVs might not be able to detect it yet.
- Dependency Walker - find possible functionality of the malware from its imports
- BinText - find possible functionality of the malware from its strings
- PEiD - check whether the malware is packed or unpacked
How to do Static Analysis
Warning!
- The following is a suggested method to perform the analysis; however, do use the tools as and when you feel they are required.
1. Open PEview to find out when the PE was compiled
The location to check the compilation date and time stamp is IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER
2. Open PEiD and analyse the results - is it packed or unpacked?
To find out whether it is packed or not, there are two main ways:
- Look at the line above the 'Multi Scan' option. This shows the compiler used to compile the PE.
How to tell if the PE is packed or not?
- Recognisable programming language/compiler - malware is not packed (eg. Microsoft Visual Studio C++)
- Any sort of obscuring/encryption software (either of these two actions packs the malware), or a hidden compiler name - malware may be packed (high chance) (eg. PEncrypt)
Space where the compiler is supposed to be is empty?
- Press the right arrow (->) at the bottom right of PEiD and perform a Normal Scan, Deep Scan and Hardcore Scan. The compiler should then show.
- If still no signature is detected, check the imports and strings (Dependency Walker and BinText). Packed malware usually has very few imports and more gibberish strings.
- Press the arrow to the right of 'EP Section'. A popup showing the section's sizes should appear. As mentioned previously, comparing Raw Size against Virtual Size helps to identify whether the malware is packed or not. If the R.Size is indeed > V.Size, then the malware is unpacked.
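Both header checks above (compile timestamp, Raw Size vs Virtual Size) can be reproduced without PEview or PEiD. The following Python script is an added example written for these notes, not a tool from the original page: it reads TimeDateStamp from IMAGE_FILE_HEADER and walks the section table applying the R.Size/V.Size rule. The two PE blobs it works on are constructed inside the script and are not real executables; the UPX-style section names and the "virtual size more than twice the raw size" threshold are assumptions of the example.

```python
# Added example (not from the original notes): parse the PE file header for the
# compile timestamp (step 1) and compare each section's Raw Size with its Virtual
# Size (step 2), the same hint PEiD's 'EP Section' popup gives.
# The sample PE blobs below are constructed in-line and are NOT real executables.
import struct
from datetime import datetime, timezone

# Field layouts are little-endian ("<"), as the '3Ls' reminder at the end of the notes says.
FILE_HEADER_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
                                    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                                     # PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics


def build_sample_pe(timestamp, sections):
    """Build a minimal PE-shaped blob (DOS stub, PE signature, file header, section table).
    Constructed purely for demonstration; the optional header is omitted (size 0)."""
    e_lfanew = 0x40
    dos_header = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode().ljust(8, b"\x00"),
                    vsize, 0x1000 * (i + 1), rsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for i, (name, vsize, rsize) in enumerate(sections)
    )
    return dos_header + b"PE\x00\x00" + file_header + table


def parse_pe(data):
    """Return the compile time and per-section sizes from IMAGE_FILE_HEADER and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4                      # IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER
    _machine, n_sections, stamp, _, _, opt_size, _chars = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    sec_off = fh_off + struct.calcsize(FILE_HEADER_FMT) + opt_size   # section table follows the optional header
    sections = []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + i * struct.calcsize(SECTION_HEADER_FMT))
        sections.append({"name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": f[1], "raw_size": f[3]})
    return {"timestamp": stamp,
            "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "sections": sections}


def packing_hints(info):
    """Apply the notes' rule: R.Size >= V.Size looks unpacked. A section whose in-memory size
    far exceeds what is on disk is filled at run time, which is what an unpacking stub does."""
    hints = []
    if info["timestamp"] == 0:
        hints.append("TimeDateStamp is zero: compile time was stripped or faked")
    for s in info["sections"]:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: 0 bytes on disk but {s['virtual_size']:#x} bytes in memory (run-time filled)")
        elif s["virtual_size"] > 2 * s["raw_size"]:   # a small excess (.bss) is normal; 2x is the example's threshold
            hints.append(f"{s['name']}: V.Size {s['virtual_size']:#x} >> R.Size {s['raw_size']:#x}")
    return hints


# Constructed samples: one that looks normally compiled, one shaped like a UPX-packed file.
CLEAN_SAMPLE = build_sample_pe(1_000_000_000, [(".text", 0x0F80, 0x1000), (".data", 0x0200, 0x0200)])
PACKED_SAMPLE = build_sample_pe(0, [("UPX0", 0x20000, 0), ("UPX1", 0x6000, 0x5800)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        info = parse_pe(blob)
        print(label, info["compile_time"].isoformat(), packing_hints(info) or "no packing hints")
```

The timestamp check is only as good as the compiler that wrote it: a zero or future date is itself a hint that the header was tampered with, which is why the example reports it alongside the section-size findings rather than trusting the date on its own.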
3. Open Dependency Walker and observe the PE
- Firstly, observe the number of imported files (.dlls) listed. If there are fewer than 4, it is a 🚩 red flag - suspect that the malware is packed. Some common .dlls are:
  - kernel32.dll - low-level OS operations, including memory management, input/output (I/O) operations, and process and thread creation.
  - user32.dll - creates and manipulates the standard elements of the Windows user interface, such as the desktop, windows, and menus.
  - advapi32.dll - advanced functionality that comes in addition to the kernel; responsible for things like the Windows registry, and restarting and shutting down the system.
  - ws2_32.dll - low-level socket connections, used by most network and internet applications.
  - wininet.dll - higher-level API that implements some higher-level protocols for internet communication.
- Secondly, packed malware will have fewer strings (check via BinText), as the files in the malware are either encrypted or obscured in different ways to make analysis difficult.
4. Open BinText and observe the PE. Look for the following things:
- Network-Based Indicators
  - Some examples: connections to http/https, an IP address or domain, creation of sockets.
  - Some more examples below:
    - ws2_32
    - CONNECT %s%HTTP/1.0, followed by ?503 and 200 (may be status codes)
    - Any domain names
- Host-Based Indicators
  - Some examples: creation of a mutex or process, file manipulation or registry records
  - Some more examples below:
    - SOFTWARE\Classes\http -> as long as there is SOFTWARE, it refers to registry records
    - SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> refers to the malware adding itself to the Run folder in the registry (entries in this folder are executed when the computer starts, which sets up persistence)
  - (Mutex - used to protect a shared resource from simultaneous access by multiple processes. A string which a process must own before it can execute the code that requires access to the shared resource. If a process does not have ownership of the mutex, it cannot execute its code that requires access to the shared resource and must wait until it has ownership of the mutex.)
- Important, perhaps some suspicious things?
  - File names (eg. vmx32to64.exe)
  - File directory paths
  - URLs, domains, IP addresses
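A BinText-style string dump sorted into the Network-Based and Host-Based indicator buckets described in step 4, as an added example written for these notes (not part of the original). The extractor pulls ASCII and Unicode (UTF-16LE) runs the way BinText lists them; the classification rules and the sample binary blob are constructed for the example, and example.com and 192.0.2.10 are documentation values, not real indicators.

```python
# Added example (not from the original notes): extract strings from a binary blob and
# sort them into the indicator categories from step 4. SAMPLE_BLOB is constructed in-line.
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")               # printable ASCII runs, min length 4
UNICODE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # UTF-16LE runs, what BinText shows as 'Unicode'

# (category, pattern). One string may land in several categories, e.g. a Run key is
# both a registry record (host) and a persistence hint. Patterns are the example's own.
RULES = [
    ("network", re.compile(r"https?://|\bws2_32\b|WSAStartup|\bsocket\b|\bconnect\b|InternetOpen|HttpSendRequest|HTTP/1\.[01]", re.I)),
    ("network", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),                                           # IPv4 address
    ("network", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|biz|ru)\b", re.I)),   # domain name
    ("host", re.compile(r"\bSOFTWARE\\|\bSYSTEM\\|HKEY_|HKLM|HKCU", re.I)),                           # registry paths
    ("host", re.compile(r"mutex", re.I)),                                                             # mutex names / APIs
    ("host", re.compile(r"[a-z0-9_-]+\.(?:exe|dll|sys|bat)\b|[a-z]:\\", re.I)),                       # file names and paths
    ("persistence", re.compile(r"CurrentVersion\\Run", re.I)),                                        # auto-start at boot
]


def extract_strings(data):
    """Return ASCII and UTF-16LE strings of 4+ printable chars, in file order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16le")) for m in UNICODE_RE.finditer(data)]
    return [s for _, s in sorted(hits)]


def classify_strings(strings):
    """Bucket strings by the indicator rules; strings matching no rule go to 'other'."""
    report = {"network": [], "host": [], "persistence": [], "other": []}
    for s in strings:
        matched = {cat for cat, rx in RULES if rx.search(s)}
        for cat in matched or {"other"}:
            report[cat].append(s)
    return report


# Constructed sample: strings separated by non-printable junk, as a stripped binary would look.
JUNK = b"\x00\x90\xff\x00"
SAMPLE_BLOB = JUNK.join([
    b"This program cannot be run in DOS mode",
    b"kernel32.dll", b"ws2_32.dll",
    b"CONNECT %s HTTP/1.0", b"www.example.com", b"192.0.2.10",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"C:\\Windows\\vmx32to64.exe",
    "Global\\SampleMutex".encode("utf-16le"),   # Unicode string, which BinText lists separately
    b"ab",                                        # too short, ignored
])

if __name__ == "__main__":
    for cat, items in classify_strings(extract_strings(SAMPLE_BLOB)).items():
        print(f"{cat:12s} {items}")
```

Note that ws2_32.dll lands in both buckets: it is a file name on disk and the Winsock library, which is exactly the double reading a reviewer wants to keep rather than collapse into one category.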
Dynamic Analysis Tools
- ApateDNS - records any requests for connections to a domain/IP made by the malware
- CMD netcat - listens on ports 80 (http) and 443 (https) so that anything the malware sends there is captured
- Process Explorer - shows the running process, its loaded .dlls and its strings (image vs memory)
- Process Monitor - any process/registry keys accessed or modified in any way will be seen here; highly noisy 😞
- Regshot - scans directories and registry details for any changes that have been made
How to do Dynamic Analysis
1. Set the IP address in Local Area Connection -> DNS Server -> 127.0.0.1
Why do we need to set the DNS Server to 127.0.0.1 (the loopback address, a fake network)?
- Some malware will try to establish a connection to a domain/IP, and you can use dynamic malware analysis tools to help detect such attempts
- Using this fake network address keeps the network safe: the rest of the internet or LAN is not affected even if the malware is a worm.
2. Set the DNS Reply address in ApateDNS to 127.0.0.1 and start the server
3. Execute Process Explorer and Process Monitor
- In Process Monitor, you can clear the records by pressing the capture button to stop it listening (but remember to enable it again later), then pressing the clear button.
4. Execute the following two commands in two separate Command Prompt windows: nc -l -p 80 (http) and nc -l -p 443 (https)
5. Execute Regshot and take the first shot
- Make sure that the option to scan directories is checked (it is not checked by default). The directory to scan should be C:\
Make sure you do these before Step 5!
- All dynamic analysis tools should be open before taking the first shot - if not, the shots will show not just the changes made to the device by the malware, but also those made by opening the tools.
- In Regshot, make sure that Scan Dirs is set to C:\
6. Ensure that the 'Process Explorer' window is at the front, then execute the malware - watch out whether it is a .dll or an .exe
If the malware creates a service, then in the command prompt execute net start servicename. To stop the service, execute net stop servicename.
How to run .dll files?
- Go to cmd and cd to the directory where the malware is.
- The next command: rundll32.exe DLLNAME,ExportName (the export argument is found in Dependency Walker)
7. Check that the malware has run/executed in Process Explorer - the process running the malware will pop up there (it may be very fast though)
8. If the malware has executed, take a second shot in Regshot and compare
Must take note!
- Under Files Added, any .pf files are prefetch files written by Windows, not files created by the malware
- Under Values Added, look out for registry changes to CurrentVersion\Run - the malware is inserting itself into the folder of processes to run when the computer boots/starts up
- Under Values Modified, stay away from those that say 'Cryptography' - these are quite normal changes
- Under Values Modified, also check for services that the malware may have created
9. Check the rest of the tools - ApateDNS and the two cmd windows (garbage text there is usually encrypted) - which provide Network-Based Indicators, a type of indicator of compromise
ApateDNS notes
- Ignore the ipaddr, msupdate and localtime entries
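The Regshot comparison and the 'Must take note!' rules above, as an added example in Python that is not part of the original notes. The two snapshots, the md5 values and the VideoDriver names are constructed placeholders (Lab03-01.exe and vmx32to64.exe are the file names used elsewhere in these notes). The example also applies the hash comparison mentioned later under 'Tools that may/may not be used': a created file with the same hash as the sample is a renamed copy of it.

```python
# Added example (not from the original notes): diff two Regshot-style snapshots and apply
# the step 8 triage rules (prefetch noise, Run-key persistence, Cryptography noise, Services).
# Both snapshots and every hash below are constructed; nothing here is real data.

SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"   # constructed placeholder for the sample's hash

BEFORE = {
    "files": {r"C:\Windows\notepad.exe": "aaaa", r"C:\analysis\Lab03-01.exe": SAMPLE_MD5},
    "values": {
        r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed": "01",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start": "2",
    },
}
AFTER = {
    "files": {
        r"C:\Windows\notepad.exe": "aaaa", r"C:\analysis\Lab03-01.exe": SAMPLE_MD5,
        r"C:\Windows\Prefetch\LAB03-01.EXE-1A2B3C4D.pf": "bbbb",      # written by Windows, not the sample
        r"C:\Windows\System32\vmx32to64.exe": SAMPLE_MD5,             # same hash as the sample: a renamed copy
    },
    "values": {
        r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed": "02",       # normal churn
        r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start": "2",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver": r"C:\Windows\System32\vmx32to64.exe",
        r"HKLM\SYSTEM\CurrentControlSet\Services\VideoDriver\ImagePath": r"C:\Windows\System32\vmx32to64.exe",
    },
}


def diff_snapshots(before, after):
    """Return the same sections Regshot reports: files/values added, deleted and modified."""
    out = {}
    for kind in ("files", "values"):
        b, a = before[kind], after[kind]
        out[f"{kind}_added"] = sorted(set(a) - set(b))
        out[f"{kind}_deleted"] = sorted(set(b) - set(a))
        out[f"{kind}_modified"] = sorted(k for k in set(a) & set(b) if a[k] != b[k])
    return out


def triage(diff, after, sample_md5):
    """Annotate each diff entry with the notes' rules. Returns (findings, noise)."""
    findings, noise = [], []
    for path in diff["files_added"]:
        if path.lower().endswith(".pf"):
            noise.append(f"{path}: prefetch file written by Windows, not by the malware")
        elif after["files"][path] == sample_md5:
            findings.append(f"{path}: copy of the sample under a new name (same hash)")
        else:
            findings.append(f"{path}: new file")
    for key in diff["values_added"]:
        if "currentversion\\run" in key.lower():
            findings.append(f"{key}: Run key entry -> persistence at boot")
        elif "\\services\\" in key.lower():
            findings.append(f"{key}: new service registered")
        else:
            findings.append(f"{key}: value added")
    for key in diff["values_modified"]:
        if "cryptography" in key.lower():
            noise.append(f"{key}: Cryptography key churn, normally benign")
        elif "\\services\\" in key.lower():
            findings.append(f"{key}: existing service modified")
        else:
            findings.append(f"{key}: value modified")
    return findings, noise


if __name__ == "__main__":
    findings, noise = triage(diff_snapshots(BEFORE, AFTER), AFTER, SAMPLE_MD5)
    print("FINDINGS"); print("\n".join(findings))
    print("NOISE");    print("\n".join(noise))
```

Deleted entries are kept in the diff even though the triage rules do not mention them; a sample that removes files or values is worth a second look just as much as one that adds them.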
10. Check on Process Explorer
There are 3 things you can do in Process Explorer that can make a huge difference to your final inference of the malware's functionality.
- See .dll functionality (a huge cheat for those unsure of .dll functionalities 🤩)
- Observe strings in the image and in memory. If there are extra strings in memory, it hints that the malware is packed: when the PE is run it is unpacked and executed, so the additional strings in memory show that the PE was previously packed.
Dr Divyan's protip
- Ensure that what you have found in Dynamic Analysis matches the strings/information found in Static Analysis.
- (Take this with a grain of salt) If you press the 'Verify' button, it helps to check whether the PE is legitimate or not.
11. Check on Process Monitor - filter by Process Name/PID
After setting a filter via process name (eg. Lab03-01.exe or PID: 1120), set further filters on operations to narrow down the scope of actions recorded by Process Monitor.
Tools that may/may not be used during both analyses
- MD5 hash - compare the hash value of created files to the original files. Sometimes malware likes to duplicate itself into the WINDOWS32 folder and rename itself to hide the fact that the .dll/.exe is harmful.
3Ls
- Little Endian
- Left side
- Least significant bit
Created: June 11, 2023